Commit files for public release

nixos-configurations/cyprianspitz/README.md

@@ -0,0 +1,32 @@
+# Host: Cyprianspitz
+
+## Operations {#_operations}
+
+Reboot requires passphrase.
+
+``` bash
+# Get HDD Password:
+sops decrypt --extract '["system"]["hdd"]' private/nixos-configurations/cyprianspitz/secrets.sops.yaml
+
+ssh -p 8223 -J root@calanda.plessur-ext.net.qo.is
+```
+
+## Hardware
+
+TODO
+
+- [Mainboard Manual](docs/z790m-itx-wifi.pdf)
+
+
+
+### Top Overview
+
+![](docs/top-view.jpg)
+
+### PCIE Side
+
+![](docs/pcie-side.jpg)
+
+### HDD Bay
+
+Note that slot 5 (the leftmost) SATA bay is not connected due to the mainboard only having 4 SATA plugs.

nixos-configurations/cyprianspitz/applications/backup.nix

@@ -0,0 +1,12 @@
+{ pkgs, config, ... }:
+
+{
+  qois.backup-server = {
+    enable = true;
+    backupStorageRoot =
+      let
+        dataDrive = config.disko.devices.lvm_vg.vg_data.lvs.lv_data.content.mountpoint;
+      in
+      dataDrive + "/backup";
+  };
+}

nixos-configurations/cyprianspitz/applications/default.nix

@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+{
+
+  imports = [
+    ./backup.nix
+    ./vpn.nix
+  ];
+
+  qois.loadbalancer.enable = true;
+}

nixos-configurations/cyprianspitz/applications/vpn.nix

@@ -0,0 +1,4 @@
+{ config, pkgs, ... }:
+{
+  qois.vpn-server.enable = true;
+}

nixos-configurations/cyprianspitz/default.nix

@@ -0,0 +1,28 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./applications
+    ./disko-config.nix
+    ./filesystems.nix
+    ./networking.nix
+    ./secrets.nix
+    ./virtualisation.nix
+
+    ../../defaults/hardware/asrock-z790m.nix
+
+    ../../defaults/base
+    ../../defaults/meta
+  ];
+
+  # Set your time zone.
+  time.timeZone = "Europe/Amsterdam";
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+}

nixos-configurations/cyprianspitz/disko-config.nix

@@ -0,0 +1,132 @@
+{ pkgs, ... }:
+{
+  disko.devices = {
+    disk = rec {
+      data-1 = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-ST16000NM000J-2TW103_ZRS110XA";
+        content = {
+          type = "gpt";
+          partitions = {
+            raid_data = {
+              size = "100%";
+              content = {
+                type = "mdraid";
+                name = "raid_data";
+              };
+            };
+          };
+        };
+      };
+      #data-2 = { # TODO
+      #  type = "disk";
+      #  device = "/dev/disk/by-id/ata-TODO";
+      #  content = data-1.content;
+      #};
+      system-1 = {
+        type = "disk";
+        device = "/dev/disk/by-id/nvme-Lexar_SSD_NM790_1TB_NL8052R000144P2202";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "1G";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot-primary";
+              };
+            };
+            raid_system = {
+              start = "5G";
+              size = "100%";
+              content = {
+                type = "mdraid";
+                name = "raid_system";
+              };
+            };
+          };
+        };
+      };
+      system-2 = {
+        type = "disk";
+        device = "/dev/disk/by-id/nvme-Lexar_SSD_NM790_1TB_NL8052R002402P2202";
+        content = pkgs.lib.recursiveUpdate system-1.content {
+          partitions.boot.content.mountpoint = "/boot-secondary";
+        };
+      };
+    };
+
+    mdadm = {
+      "raid_system" = {
+        type = "mdadm";
+        level = 1;
+        content = {
+          type = "luks";
+          name = "crypted_system";
+          passwordFile = "/run/secrets/system/hdd.key";
+          settings = {
+            allowDiscards = true;
+            bypassWorkqueues = true;
+          };
+          content = {
+            type = "lvm_pv";
+            vg = "vg_system";
+          };
+        };
+      };
+      "raid_data" = {
+        type = "mdadm";
+        level = 1;
+        content = {
+          type = "luks";
+          name = "crypted_data";
+          passwordFile = "/run/secrets/system/hdd.key";
+          settings.allowDiscards = true;
+          content = {
+            type = "lvm_pv";
+            vg = "vg_data";
+          };
+        };
+      };
+    };
+    lvm_vg = {
+      vg_data = {
+        type = "lvm_vg";
+        lvs = {
+          lv_data = {
+            size = "14TB";
+            content = {
+              type = "filesystem";
+              format = "btrfs";
+              mountpoint = "/mnt/data";
+              mountOptions = [
+                "defaults"
+                "noatime"
+              ];
+            };
+          };
+        };
+      };
+      vg_system = {
+        type = "lvm_vg";
+        lvs = {
+          hv_cyprianspitz = {
+            size = "100GiB";
+            content = {
+              type = "btrfs";
+              mountOptions = [
+                "defaults"
+                "noatime"
+              ];
+              subvolumes = {
+                "/root".mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

nixos-configurations/cyprianspitz/filesystems.nix

@@ -0,0 +1,36 @@
+{ config, pkgs, ... }:
+{
+
+  # Configurations are set in disko-config.nix!
+
+  # mdadm.conf generated by `mdadm --detail --scan`
+  # TODO
+  boot.swraid.enable = true;
+  boot.swraid.mdadmConf = ''
+    MAILADDR root
+  '';
+
+  # TODO: RAID Monitoring
+  # TODO: Set spin-down time of physical disks
+
+  services.fwupd.daemonSettings.EspLocation = pkgs.lib.mkForce config.disko.devices.disk.system-1.content.partitions.boot.content.mountpoint;
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    mirroredBoots = [
+      {
+        devices = [ "nodev" ];
+        path = "/boot-primary";
+        efiBootloaderId = "NixOS primary";
+      }
+      {
+        devices = [ "nodev" ];
+        path = "/boot-secondary";
+        efiBootloaderId = "NixOS secondary";
+      }
+    ];
+  };
+}

nixos-configurations/cyprianspitz/networking.nix

@@ -0,0 +1,97 @@
+{ config, pkgs, ... }:
+
+let
+  meta = config.qois.meta;
+in
+{
+  networking.hostName = meta.hosts.cyprianspitz.hostName;
+
+  imports = [ ../../defaults/backplane-net ];
+
+  networking.useDHCP = false;
+  networking.interfaces.enp0s31f6.useDHCP = true;
+  networking.interfaces.enp2s0.useDHCP = true;
+
+  # Virtualization
+  networking.interfaces.vms-nat.useDHCP = false;
+  networking.interfaces.vms-nat.ipv4.addresses = [
+    (
+      let
+        netConfig = meta.network.virtual.cyprianspitz-vms-nat;
+      in
+      {
+        address = netConfig.hosts.cyprianspitz.v4.ip;
+        prefixLength = netConfig.v4.prefixLength;
+      }
+    )
+  ];
+
+  networking.bridges.vms-nat.interfaces = [ ];
+  networking.nat = {
+    enable = true;
+    internalInterfaces = [ "vms-nat" ];
+    internalIPs = with meta.network.virtual.cyprianspitz-vms-nat.v4; [
+      "${id}/${builtins.toString prefixLength}"
+    ];
+    externalInterface = "enp0s31f6";
+  };
+  services.dnsmasq =
+    let
+      netConfig = meta.network.virtual.cyprianspitz-vms-nat;
+    in
+    {
+      enable = true;
+      resolveLocalQueries = false;
+      settings = {
+        interface = "vms-nat";
+        bind-interfaces = true;
+
+        domain-needed = true;
+
+        domain = netConfig.domain;
+        dhcp-range = [ "10.248.0.2,10.248.0.253" ];
+        dhcp-option = [
+          "option:router,${netConfig.hosts.cyprianspitz.v4.ip}"
+          "option:domain-search,${netConfig.domain}"
+        ];
+        dhcp-authoritative = true;
+      };
+    };
+  systemd.services.dnsmasq.bindsTo = [ "network-addresses-vms-nat.service" ];
+  networking.firewall.interfaces.vms-nat = {
+    allowedUDPPorts = [
+      53
+      67
+    ];
+    allowedTCPPorts = [ 53 ];
+  };
+
+  # Boot
+  boot.initrd.network.udhcpc.enable = true;
+
+  services.qois.luks-ssh = {
+    enable = true;
+    interface = "eth0";
+    sshPort = 2222;
+    sshHostKey = "/secrets/system/initrd-ssh-key";
+    # TODO Solve sops dependency porblem: config.sops.secrets."system/initrd-ssh-key".path;
+  };
+
+  # Configure this node to be used as an vpn exit node
+  qois.backup-client.includePaths = [ "/var/lib/tailscale" ];
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+    useRoutingFeatures = "server";
+    authKeyFile = config.sops.secrets."tailscale/key".path;
+    extraUpFlags = [
+      "--login-server=https://vpn.qo.is"
+      "--advertise-exit-node"
+      (
+        with meta.network.virtual.backplane.v4; "--advertise-routes=${id}/${builtins.toString prefixLength}"
+      )
+      "--advertise-tags=tag:srv"
+    ];
+  };
+
+}

nixos-configurations/cyprianspitz/secrets.nix

@@ -0,0 +1,10 @@
+{ ... }:
+{
+  sops.secrets = {
+    "system/hdd" = { };
+    "system/initrd-ssh-key" = { };
+    "tailscale/key" = {
+      restartUnits = [ "tailscaled.service" ];
+    };
+  };
+}

nixos-configurations/cyprianspitz/virtualisation.nix

@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+{
+  virtualisation.libvirtd = {
+    enable = true;
+    onShutdown = "shutdown";
+  };
+  environment.systemPackages = [ pkgs.virtiofsd ];
+}